Configure IPsec VPN in aggressive mode on ASA 8.2.5

Deepak Kumar
VIP Alumni

My current main mode IPsec VPN configuration on my ASA 8.2.5 is as below:

!

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 94.x.x.x 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map Outside_map 1 set nat-t-disable
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

!

!

!

tunnel-group 94.x.x.x type ipsec-l2l
tunnel-group 94.x.x.x ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 30 retry 5
!

----------------------------

Now I want to convert it to aggressive mode. Please help me convert it, because the other end (a Fortigate) is recommended to use aggressive mode.

Thanks, 

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
Accepted Solution

Bogdan Nita
VIP Alumni

The ASA accepts by default main mode as well as aggressive mode. You can check this using show crypto isakmp sa. The output will indicate MM for Main Mode or AM for Aggressive Mode.

In order to force the ASA to use aggressive mode when initiating a connection you can use:

crypto map outside_map 1 set ikev1 phase1-mode aggressive

Considering that the version you are running is pretty old, it could be that the command is a little bit different (isakmp instead of ikev1).

Also keep in mind that Aggressive Mode does not provide identity protection.
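As an added example (not from the post or the accepted answer), a small Python helper that applies the check described above: it reads the MM_/AM_ state prefix per peer from "show crypto isakmp sa" output and the phase1-mode setting from crypto map lines, so the live mode can be compared with the configured one. The show output and config fragment are constructed samples with documentation-range placeholder addresses; the second peer deliberately shows a responder SA in aggressive mode with no phase1-mode configured, which is what the answer's "accepts both by default" remark means.

```python
import re

# Constructed sample of ASA "show crypto isakmp sa" output (not from the post);
# peer addresses are documentation-range placeholders.
SAMPLE_SHOW_SA = """\
   Active SA: 2
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 198.51.100.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 203.0.113.5
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE
"""

# Constructed crypto map fragment in the style of the configuration above.
SAMPLE_CONFIG = """\
crypto map outside_map 1 set peer 198.51.100.10
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set ikev1 phase1-mode aggressive
crypto map outside_map 2 set peer 203.0.113.5
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
"""

PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
STATE_RE = re.compile(r"State\s*:\s*(MM|AM)_")
CFG_PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)")
CFG_MODE_RE = re.compile(r"^crypto map (\S+) (\d+) set (?:ikev1|isakmp) phase1-mode (\w+)")

def negotiated_modes(show_output):
    """{peer: 'main' | 'aggressive'} taken from the MM_/AM_ state prefix."""
    modes, peer = {}, None
    for line in show_output.splitlines():
        if (m := PEER_RE.search(line)):
            peer = m.group(1)
        elif peer and (s := STATE_RE.search(line)):
            modes[peer] = "main" if s.group(1) == "MM" else "aggressive"
    return modes

def configured_modes(config):
    """{peer: mode} the ASA will use when it initiates; main unless
    phase1-mode is set. Accepts the ikev1 or isakmp keyword (older releases)."""
    peers, modes = {}, {}
    for line in config.splitlines():
        if (m := CFG_PEER_RE.match(line)):
            peers[(m.group(1), m.group(2))] = m.group(3)
        elif (m := CFG_MODE_RE.match(line)):
            modes[(m.group(1), m.group(2))] = m.group(3)
    return {peer: modes.get(key, "main") for key, peer in peers.items()}

def aggressive_peers(show_output):
    """Peers whose live IKE SA was built in aggressive mode (no identity protection)."""
    return sorted(p for p, m in negotiated_modes(show_output).items() if m == "aggressive")
```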
